Establishing Sustainable Regulatory Compliance by Design
- Julien Haye
- Nov 17, 2021
- 9 min read
Updated: May 4

Do you favour day 1 compliance over sustainable compliance by design?
In more than two decades working in financial services, I rarely came across a “successful” regulatory implementation, let alone one that delivered sustainable, ongoing compliance.
This was not due to a lack of effort. Most firms invested significant time, people and resources. But projects often ran behind schedule, focused too narrowly on day 1 compliance, and were treated as add-ons to existing business processes. This added complexity, increased costs, and introduced new risks, often leading to future compliance breaches.
At its core, the challenge is strategic. Compliance is still too often seen as a technical exercise rather than a business capability. That approach misses the purpose of regulation.
Regulation is about intent. It is about the "why", such as investor protection or market integrity, not just the "what" and "how" contained in thousands of pages of rules.
Strong regulatory frameworks are designed to promote financial stability, protect consumers, and ensure the resilience of the financial sector. In the UK, the Financial Conduct Authority (FCA) plays a central role in overseeing these obligations.
So when firms focus on regulatory expectations and outcomes, they create opportunities to go beyond minimum compliance. They strengthen trust, improve services and reduce long-term risk.
To achieve this, firms need a shift in mindset. They need to stop layering compliance on top of outdated processes. They need to start building it into the way the business operates.
They need compliance by design.
What is financial regulation?
“Financial regulation refers to the rules and laws that firms operating in the financial industry, such as banks, credit unions, insurance companies, financial brokers and asset managers, must follow. However, financial regulation is more than just having rules in place - it's also about the ongoing oversight and enforcement of these rules” – Central Bank of Ireland
Yet financial firms face much more than financial regulations. The broader their operations, the greater the range of regulatory bodies and requirements they must navigate. These include tax codes, labour laws, data protection rules, cybersecurity standards, ESG disclosures and consumer protection frameworks.
In reality, most regulatory obligations cut across departments. They touch how firms manage people, structure operations, use technology, deliver products and oversee risk. When these rules are treated in isolation or added on after the fact, they create overlap, inefficiency and blind spots.
I will return to these dynamics later in the article and explore why they make a strong case for compliance by design.
Why does Regulatory Compliance matter?
The ability to conduct financial transactions has been at the heart of our societies for millennia. It underpins our ability to exchange, to trade and to carry out many other fundamental human activities. Here is an interesting article on the history of money and payments: History of Money and Payments.
In that context, the primary purpose of financial regulations is to maintain a stable financial system and to protect consumers. It is to protect our societies and our way of life. Regulation also plays a critical role in maintaining public trust, especially when the actions of a few can undermine confidence in the entire financial system.
To my mind, regulators tend to step in when the financial industry fails to do what it is supposed to do: when financial activities have destabilised, or are about to destabilise, the financial system and our wider society, whether because of too much risk taking, too many uncontrolled innovations, and/or too much greed.
Sometimes, regulation is also about creating a level playing field and promoting market integration across jurisdictions. For example, the General Data Protection Regulation (GDPR) aims to harmonise standards in data protection. Increasingly, regulators are applying similar expectations in other areas, such as climate disclosures, organisational culture and operational resilience.
In both cases, regulatory compliance is about more than following rules. It is a response to gaps in behaviour, governance or system design. It reflects the role of finance in serving and protecting society.
What does Regulatory Compliance mean for the financial industry?
An easy way to avoid regulations is not to “mess up”, preferably by constantly keeping the interests of our clients, consumers, and the wider financial system at the heart of what we do, and, in doing so, protecting our society and its people.
The alternative is to establish the mechanisms to oversee our activities and stay attuned to what regulators expect us to prioritise. That means being diligent in adhering to both the spirit and the letter of the law.
These are two sides of the same coin. One is rooted in purpose, the other in process.
Ultimately, regulatory compliance is not just a cost of doing business. It is a foundation for long-term trust, resilience and competitive advantage.
How to identify applicable laws, rules and regulations?
This is about horizon scanning, i.e. a mechanism built to enable early and systematic detection of all applicable laws, rules, and regulations (LRRs).
Financial firms are subject to many types of LRRs coming from many different regulatory bodies (in the UK it could be HMRC, the FCA, the PRA, etc.). The bigger the footprint, the wider the scope of LRRs to consider and their sources.
In my experience, this invariably triggers a debate on compliance department vs compliance function, including key aspects such as the scope of Compliance department (e.g. if they are focused on financial regulations), compliance monitoring, etc.
Some of the most stringent regulations pertain to labour laws, physical security, employee safety, etc. I found over time that these types of regulations are rarely on the radar of a compliance function and can trigger multi-million-dollar fines – or worse, when it comes to employee safety.
A few years ago, I had my team develop a “regulatory radar” and gathered a very large group of SMEs from many functions to fill and maintain it. The objective was to identify and assess relevant LRRs and be clear on the time horizon.
As it turned out, most departments across the firm knew which regulatory body(ies) they should monitor for their own purposes and which regulations would apply to them. Bringing some structure to what was an informal process helped:
1) To create a common understanding of, and maintain, the scope of relevant regulatory sources for the business. This includes which regulatory bodies to consider, from which jurisdiction, and the type of “papers”. A big discussion at that time was on the relevance of regulatory speeches and how they could inform current and future expectations across all activities of the firm.
Effective horizon scanning also includes awareness of upcoming consultations, freedom of information disclosures, and public statements. These signals help firms anticipate emerging reporting requirements and ensure that regulators' expectations are fully understood and addressed.
2) To share knowledge across all impacted functions and plug any gaps. For instance, certain regulations the Finance department was aware of impacted other functions as part of the process. Without that process, they would not have known about them.
3) To prioritise an initial assessment of new LRRs from a complexity and applicability standpoint. This high-level assessment helped to understand what we should focus on and when, and to inform both executives and boards on resource allocation. This included getting to a common and agreed interpretation of the LRRs across all functions, leveraging the expertise of compliance folks.
4) To track progress against an expected regulatory timeline.
This approach proved to be particularly effective at “taming” the flow of new LRRs; but by its very nature, it was forward-looking. We decided to proceed with a backward-looking review after it transpired that some regulations had been missed prior to the implementation of this new process. As a result, we established an inventory of existing LRRs and how they were met.

Achieving Successful Compliance by Design
I favour getting to compliance by managing the risks targeted by a piece of regulation. This approach relies on getting to compliance “by design” through a business-centric vision or target state and an understanding of what needs to be changed or transformed to get there.
As conduct officer, I had to re-establish the conflicts of interest framework at the firm I worked for, following critical feedback from multiple regulators.
Breaking with protocols, I had my team ignore all known regulations and define a framework that would enable effective identification, management and, when relevant, mitigation of all potential and actual conflicts generated by the business and its people, with a single principle: keep the interests of our clients/customers front and centre in our activities.
We identified 50+ categories of potential sources of conflicts split between business practices (e.g. new product, remuneration, marketing, distribution, asset allocation, etc.) and employee practices (e.g. personal trading, directorship, etc.) by repurposing the existing compliance and risk framework. We also tweaked the existing risk/legal entity governance to bring transparency to the Board and Execs on the existing list of conflicts and enable their oversight. Finally, we had to plug some governance gaps to cater for cross-business conflicts (e.g. the investment bank team being on one side of a deal and the asset management team on the other side).
Once finalised, I had the compliance function assess all aspects of the framework against regulatory expectations across our footprint. As expected, it met regulatory expectations without tweaks.
It was also commended by the business. Until then, they had to cater for various approaches across jurisdictions and the product landscape. This led to inconsistent business risk decisions and was confusing for business folks and clients alike.
The standardisation and transparency brought by the framework enabled them to do the right thing, without added complexity – in fact, the number of controls was reduced through standardisation.
Compliance by design also helps firms streamline controls while ensuring accountability across functions. It reduces the unnecessary burden of duplicate checks and simplifies how reporting requirements are met over time.

How to stay compliant?
As long as financial firms approach regulatory implementation as an add-on to existing activities, they will struggle to maintain ongoing compliance. They will increase complexity, especially through control proliferation, and as a result increase their cost base and their risks. They will also lose out on the business opportunities arising from the ever-changing regulatory landscape.
Successful implementation of LRRs means no need to redo it, no day 2, and no being fined for non-compliance months after the official compliance date. More practically, it means establishing sustainable and embedded mechanisms that deliver on expectations: functional ownership, effective training, consistent communication, strong governance oversight and proactive monitoring.
Firms that invest in these foundations are better equipped to adapt, to operate with fewer surprises, and to create long-term value for their clients and stakeholders.
So what’s next?
Ongoing compliance should be a piece of cake. But it’s not!
Financial firms have a massive opportunity to save on costs, to design and deliver better services and products, and to materially increase the value they deliver to their clients and other stakeholders, all whilst meeting regulatory expectations.
Regulatory compliance can cost anywhere between 6-10% of a firm’s revenues every year, according to the Bloomberg survey. And more, if those firms end up being fined.
So, the case for change is here. And it should be focused on a new approach to the identification and implementation of LRRs. It should focus on an end-to-end integrated approach to regulatory compliance based on a principle of “compliance by design”.
The easy solution is to implement more controls and more procedures and fundamentally not change the business, by treating regulatory compliance as an add-on. But this defeats the purpose of what regulation is all about and explains why so many implementations fail. It also explains why regulatory costs have been ballooning for years.
This becomes a vicious circle. As implementations fail, regulators are tempted to take even more corrective actions, adding to the complexity.
So, for regulators, a good place to start would be to define from the outset, and in plain English, what a successful implementation would deliver to end clients and market stability, and to have firms demonstrate 1) the benefits accrued against set principles and 2) how their activities have been changed or transformed to get there and ensure ongoing compliance.
This is a multi-billion opportunity in terms of cost savings and potential new revenues. So, who will grasp it?
Learn more about how Aevitium Risk and Compliance consultancy can help you with your regulatory compliance activities.
Frequently Asked Questions (FAQs)
What is regulatory compliance in financial services?
Regulatory compliance in financial services refers to the process by which firms ensure they meet legal, regulatory, and supervisory requirements. This includes following rules issued by bodies such as the FCA, PRA, SEC, and ESMA, covering areas like conduct, risk management, capital adequacy, data privacy, and consumer protection.
What is compliance by design?
Compliance by design is an approach where regulatory requirements are embedded into business processes, systems, and culture from the outset. Instead of treating compliance as an afterthought or add-on, this method integrates it into product development, governance, decision-making, and operational workflows.
Why do regulatory implementations fail?
Regulatory implementations often fail due to poor planning, lack of cross-functional ownership, overreliance on control layers, and a short-term focus on “day one” compliance. This results in duplicated effort, increased complexity, and ongoing remediation costs.
How can financial firms achieve sustainable regulatory compliance?
Firms can achieve sustainable compliance by investing in horizon scanning, aligning regulatory obligations with business strategy, defining ownership, and embedding compliance into core systems. Strong governance, proactive monitoring, and consistent training are also key components.
What are the benefits of compliance by design?
Compliance by design reduces long-term costs, simplifies controls, supports consistent decision-making, and improves transparency. It allows firms to meet regulatory expectations more efficiently while building trust with clients, regulators, and stakeholders.
What is horizon scanning in regulatory compliance?
Horizon scanning is a structured process for identifying and assessing upcoming laws, rules, and regulatory changes that may affect a firm. It supports early action, better planning, and informed decision-making across compliance, legal, risk, and operational teams.
How much does regulatory compliance cost financial firms?
According to industry research, regulatory compliance can cost financial institutions between 6 to 10 percent of their annual revenue. These costs increase significantly in the event of non-compliance, due to fines, remediation efforts, and reputational damage.